Hi, I installed the Tumbleweed on my laptop recently. I followed the instruction to enable the hibernation but it’s not working. is there any step I missed?
What I did is:
- Create a swap partition when installing the system.(My RAM is 48 GiB and I set swap to 49 GiB)
- Get the UUID of swap partion then add it to boot parameter(resume=UUID=xxxx)
- Then try
sudo systemctl hibernate to test the hibernate but get error: Call to Hibernate failed: Sleep verb 'hibernate' is not configured or configuration is not supported by kernel
My lattop is Thinkpad T14 G2, is any configuration I missed for hibernate?
@TachikomaBot Hi and welcome to the Forum 
If you have secure boot enabled then hibernation is disabled due to kernel lock down.
3 Likes
Hi, thanks your quick reply. So, I should try to disable the secure boot in BIOS, right?
Yes, that should be sufficient
Thanks! I turn off the secure boot then hibernate works!
i want to add it is only locked because it’s not encrypted if you want to hibernate while using secure boot you have to be encrypte swap
look at kernel lockdown man kernel_lockdown
2 Likes
The man page fails to explain how to encrypt the swap partition – the following is needed to enable hibernation with secure boot enabled:
#
## ** kernel: PM: hibernation: the secret key is invalid **
#
# echo 1 > /sys/firmware/efi/secret-key/regen
#
## Reboot.
#
1 Like
Mea culpa – currently on Tumbleweed, the “secret-key” directory doesn’t exist – 
# find /sys/firmware/ -iname '*secret*'
#
@exception I don’t see that here…
Tumbleweed, Secure Boot enabled, swap (zram) encrypted;
inxi -Ixxx
Info:
Memory: total: 32 GiB note: est. available: 30.73 GiB used: 1.76 GiB (5.7%)
Processes: 267 Power: uptime: 0h 1m states: freeze,mem suspend: deep wakeups: 0
hibernate: disabled Init: systemd v: 259 default: graphical
fwupdmgr security
....
Runtime Suffix -!
✔ fwupd plugins: Untainted
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ Linux kernel: Untainted
✔ UEFI db: Valid
Tumbleweed, Secure Boot disabled, swap (zram) encrypted;
Info:
Memory: total: 64 GiB note: est. available: 62.69 GiB used: 3.82 GiB (6.1%)
Processes: 559 Power: uptime: 0h 27m states: freeze,mem,disk suspend: deep
wakeups: 0 hibernate: platform Init: systemd v: 259 default: graphical
Runtime Suffix -!
✔ fwupd plugins: Untainted
✔ Linux swap: Encrypted
✔ UEFI db: Valid
✘ Linux kernel lockdown: Disabled
✘ Linux kernel: Tainted
✘ UEFI secure boot: Disabled
poeple having problems with it too in debian
https://forums.debian.net/viewtopic.php?t=159433
i didn’t test it myself but according to the kernel manual it should work
i will try it on the fowling days to encrypt swap and see what the conditions
i had this problem and i had to disable secureboot temporally until i solve it
if i have to guess i think it want full encrypted system i am not sure yet
if i got anything i will get back to you
Here with a Tumbleweed resulting from a Leap 16.0 distribution upgrade – Secure Boot; SELinux –
> kinfo
Operating System: openSUSE Tumbleweed 20260327
KDE Plasma Version: 6.6.3
KDE Frameworks Version: 6.24.0
Qt Version: 6.10.2
Kernel Version: 6.19.9-1-default (64-bit)
Graphics Platform: Wayland
Processors: 12 × AMD Ryzen 5 8600G w/ Radeon 760M Graphics
Memory: 34 GB of RAM (32.8 GB usable)
Graphics Processor: AMD Radeon 760M Graphics
>
> ls -aldZ /etc/crypttab
-rw-------. 1 root root system_u:object_r:etc_t:s0 97 7. Apr 2024 /etc/crypttab
>
> rpm --query --whatprovides /etc/crypttab
file /etc/crypttab is not owned by any package
>
> LANG=C fwupdmgr security
Host Security ID: HSI:1! (v2.0.20)
.
.
Runtime Suffix -!
? CET-BS support: Supported
? fwupd-Plugins: Untainted
? Linux-Kernel lockdown: Enabled
? Linux-Kernel: Untainted
? UEFI-DB: Not found
? Linux swap: Unencrypted
This system has HSI runtime issues.
? https://fwupd.github.io/hsi.html#hsi-runtime-suffix
.
>
> lsblk /dev/sda3 --fs
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
sda3
└─cr_swap swap 1 cr_swap a670b325-9a67-4b0d-9770-5ec66e62d22a [SWAP]
>
# cat /etc/crypttab
cr_swap /dev/disk/by-id/ata-Intenso_SSD_Sata_III_AA000000000000035990-part3 /dev/urandom swap
#
# LANG=C swapon --summary
Filename Type Size Used Priority
/dev/dm-0 partition 2097600 0 -1
#
# inxi -xxx --info
Info:
Memory: total: 32 GiB note: est. available: 30.51 GiB used: 8.08 GiB (26.5%)
Processes: 422 Power: uptime: 3h 31m states: freeze,mem suspend: deep
wakeups: 0 hibernate: disabled Init: systemd v: 259 default: graphical
Packages: pm: rpm pkgs: N/A note: see --rpm Compilers: clang: 21.1.8
alt: 15/15.0/15.0/19 gcc: 15.2.1 Shell: Bash (su) v: 5.3.9
running-in: konsole inxi: 3.3.40
#
# inxi -xxx --swap -l
Swap:
ID-1: swap-1 type: partition size: 2 GiB used: 0 KiB (0.0%) priority: -1
dev: /dev/dm-0 mapped: cr_swap label: cr_swap
#
- I’m assuming that, the /etc/crypttab file was created by Leap ?? in 2024 and simply inherited by everything that followed …
- Theoretically, Tumbleweed should re-encrypt the swap partition at every boot using a key from –
/dev/urandom.
- I suspect that, it doesn’t because – the crypttab entry doesn’t have any of the following entries:
cipher=
size=
sector-size=
Does anyone know which cipher should be specified?
- The value in the ArchWiki “dm-crypt/Swap encryption” page – “aes-xts-plain64” doesn’t exist in the content of “/proc/crypto” of this Tumbleweed system.
So is TPM is the Only Solution
is it have to be fully encrypted using TPM to work ?
And, I’m completely bluffed – today’s system Journal –
Mär 30 08:51:38 systemd[1]: Starting Cryptography Setup for cr_swap...
Mär 30 08:51:38 systemd-cryptsetup[1115]: Set cipher aes, mode cbc-essiv:sha256, key size 256 bits for device /dev/disk/by-id/ata-Intenso_SSD_Sata_III_AA000000000000035990-part3.
Mär 30 08:51:39 kernel: device-mapper: uevent: version 1.0.3
Mär 30 08:51:38 systemd-makefs[1129]: /dev/mapper/cr_swap successfully formatted as swap (label "cr_swap", uuid a670b325-9a67-4b0d-9770-5ec66e62d22a)
Mär 30 08:51:39 kernel: device-mapper: ioctl: 4.50.0-ioctl (2025-04-28) initialised: dm-devel@lists.linux.dev
Mär 30 08:51:38 systemd[1]: Finished Cryptography Setup for cr_swap.
Mär 30 08:51:39 kernel: Key type trusted registered
Mär 30 08:51:38 systemd[1]: Reached target Block Device Preparation for /dev/mapper/cr_swap.
Mär 30 08:51:39 kernel: Adding 2097600k swap on /dev/mapper/cr_swap. Priority:-1 extents:1 across:2097600k SS
Mär 30 08:51:38 systemd[1]: Reached target Local Encrypted Volumes.
Mär 30 08:51:38 systemd[1]: Found device /dev/mapper/cr_swap.
Mär 30 08:51:38 systemd[1]: Activating swap /dev/mapper/cr_swap...
Mär 30 08:51:38 systemd[1]: Activated swap /dev/mapper/cr_swap.
Mär 30 08:51:38 systemd[1]: Reached target Swaps.
# systemctl status systemd-cryptsetup@cr_swap.service
● systemd-cryptsetup@cr_swap.service - Cryptography Setup for cr_swap
Loaded: loaded (/etc/crypttab; generated)
Active: active (exited) since Mon 2026-03-30 08:51:38 CEST; 7h ago
Invocation: a267384e0ed541298e97cb0dec83acac
Docs: man:crypttab(5)
man:systemd-cryptsetup-generator(8)
man:systemd-cryptsetup@.service(8)
Process: 1115 ExecStart=/usr/bin/systemd-cryptsetup attach cr_swap /dev/disk/by-id/ata-Intenso_SSD_Sata_III_AA000000000000035990-part3 /dev/urandom swap (code=exited, status=0/SUCCESS)
Process: 1129 ExecStartPost=/usr/lib/systemd/systemd-makefs swap /dev/mapper/cr_swap (code=exited, status=0/SUCCESS)
Main PID: 1115 (code=exited, status=0/SUCCESS)
CPU: 32ms
Mär 30 08:51:38 xxx systemd[1]: Starting Cryptography Setup for cr_swap...
Mär 30 08:51:38 xxx systemd[1]: Finished Cryptography Setup for cr_swap.
#
–
The systemd Journal and systemd service status indicate that, the Swap partition is encrypted.
The “firmware update manager client utility” maintains that, the Swap partition is not encrypted …
Shall I believe one or, the other? 
@dcurtisfra use fwupdmgr security --show-all and follow the link.
@malcolmlewis:
Malcom, sorry for the German – but the URL, after the ‘#’ is not valid –
Laufzeit-Suffix -!
.
.
✘ Linux-Auslagerung: Entschlüsselt: https://fwupd.github.io/libfwupdplugin/hsi.html#org.fwupd.hsi.Kernel.Swap`
<https://fwupd.github.io/libfwupdplugin/hsi.html#org.fwupd.hsi.Kernel.Swap>
- Unencrypted swap partition. [v1.5.0]
Which then points to the the ArchWiki dm-crypt page.
Looking at the HSI-2 and HSI-3 reports it seems that, my ASUS AMD B850-PLUS-CSM mainboard’s chip set has some issues UEFI security issues – which is possibly why AMD has discontinued the production of that chip set …
- Looking at the ASUS web site, there’s (at last) a BIOS update for the mainboard which was in Beta test status for the last few months – I’ll install it and see what happens – after reviewing the “Early-boot UEFI Memory Protections” which affect the NX protection for UEFI runtime services for DeviceGuard compliance.
Now with the newest ASUS BIOS – it didn’t help to resolve the fwupdmgr issue but, the systemd Journal has the following entries:
Mär 31 12:40:18 kernel: NX (Execute Disable) protection: active
.
.
Mär 31 12:40:26 systemd[1]: Starting Cryptography Setup for cr_swap...
Mär 31 12:40:27 kernel: device-mapper: uevent: version 1.0.3
Mär 31 12:40:26 systemd-cryptsetup[1114]: Set cipher aes, mode cbc-essiv:sha256, key size 256 bits for device /dev/disk/by-id/ata-Intenso_SSD_Sata_III_AA000000000000035990-part3.
Mär 31 12:40:27 kernel: device-mapper: ioctl: 4.50.0-ioctl (2025-04-28) initialised: dm-devel@lists.linux.dev
Mär 31 12:40:26 systemd-makefs[1128]: /dev/mapper/cr_swap successfully formatted as swap (label "cr_swap", uuid e951da32-937e-4945-af40-fc3d01dcd057)
Mär 31 12:40:27 kernel: Key type trusted registered
Mär 31 12:40:26 systemd[1]: Finished Cryptography Setup for cr_swap.
Mär 31 12:40:27 kernel: Adding 2097600k swap on /dev/mapper/cr_swap. Priority:-1 extents:1 across:2097600k SS
Mär 31 12:40:26 systemd[1]: Reached target Block Device Preparation for /dev/mapper/cr_swap.
Mär 31 12:40:26 systemd[1]: Reached target Local Encrypted Volumes.
Mär 31 12:40:26 systemd[1]: Found device /dev/mapper/cr_swap.
Mär 31 12:40:26 systemd[1]: Activating swap /dev/mapper/cr_swap...
Mär 31 12:40:26 systemd[1]: Activated swap /dev/mapper/cr_swap.
Mär 31 12:40:26 systemd[1]: Reached target Swaps.
Also this:
# systemctl status systemd-cryptsetup@cr_swap.service
● systemd-cryptsetup@cr_swap.service - Cryptography Setup for cr_swap
Loaded: loaded (/etc/crypttab; generated)
Active: active (exited) since Tue 2026-03-31 12:40:26 CEST; 13min ago
Invocation: 0bc2c450d9944c4ab67740c33e675f93
Docs: man:crypttab(5)
man:systemd-cryptsetup-generator(8)
man:systemd-cryptsetup@.service(8)
Process: 1114 ExecStart=/usr/bin/systemd-cryptsetup attach cr_swap /dev/disk/by-id/ata-Intenso_SSD_Sata_III_AA00000>
Process: 1128 ExecStartPost=/usr/lib/systemd/systemd-makefs swap /dev/mapper/cr_swap (code=exited, status=0/SUCCESS)
Main PID: 1114 (code=exited, status=0/SUCCESS)
CPU: 32ms
Mär 31 12:40:26 xxx systemd[1]: Starting Cryptography Setup for cr_swap...
Mär 31 12:40:26 xxx systemd[1]: Finished Cryptography Setup for cr_swap.
#
I probably need a new mainboard with another, supported, current, AMD chip set …